
Page 1: SEC325 BitLocker™ Drive Encryption Deployment Laura Benofsky Lead Program Manager Windows Security-System Integrity
Page 2: SEC325 BitLocker™ Drive Encryption Deployment

Laura Benofsky
Lead Program Manager
Windows Security-System Integrity

Page 3: Agenda

Business Impact
BitLocker™ Overview
BitLocker™ Requirements
BitLocker™ Deployment Process
BitLocker™ Administration & Recovery
Best Practices
Q&A

Page 4:

A large multi-national company, who wishes to remain anonymous, loses an average of one corporate laptop per business day in the taxicabs of just one US city…

Page 5: Information Loss Is Costly

Information loss – whether via theft or accidental leakage – is costly on several levels

Financial
  The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
  Loss of revenue, market capitalization, and competitive advantage

Image & Credibility
  Leaked executive e-mails can be embarrassing
  Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility

Legal & Regulatory Compliance
  Increasing regulation: SOX, HIPAA, GLBA
  Bringing a company into compliance can be complex and expensive
  Non-compliance can lead to significant legal fees, fines and/or settlements

Page 6: BitLocker™ Drive Encryption Overview

Page 7: BitLocker™ Design Goals

BitLocker™ Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed “Longhorn” systems
  Notebooks – Often stolen, easily lost in transit
  Desktops – Often stolen, difficult to safely decommission
  Servers – High value targets, often kept in insecure locations
  All three can contain very sensitive IP and customer data

Designed to provide a transparent user experience that requires little to no interaction on a protected system

Prevents thieves from using another OS or software hacking tool to break OS file and system protections

Prevents offline viewing of user data and OS files

Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2

Page 8: BitLocker™ and TPM Features

BitLocker™ Drive Encryption
  Encrypts entire volume
  Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
  Customizable protection and authentication methods

Pre-OS Protection
  USB startup key, PIN, and TPM-backed authentication

Single Microsoft TPM Driver
  Improved stability and security

TPM Base Services (TBS)
  Enables third party applications

Active Directory Backup
  Automated key backup to AD server

Group Policy support

Scriptable Interfaces
  TPM management
  BitLocker™ management
  Command-line tool

Secure Decommissioning
  Wipe keys and repurpose

Page 9: What Is A Trusted Platform Module (TPM)?

Smartcard-like module on the motherboard that:
  Performs cryptographic functions
    RSA, SHA-1, RNG
    Meets encryption export requirements
  Can create, store and manage keys
    Provides a unique Endorsement Key (EK)
    Provides a unique Storage Root Key (SRK)
  Performs digital signature operations
  Holds Platform Measurements (hashes)
  Anchors chain of trust for keys and credentials
  Protects itself against attacks

TPM 1.2 spec: www.trustedcomputinggroup.org

Page 10: Why Use A TPM?

Trusted Platforms use Roots-of-Trust
  A TPM is an implementation of a Root-of-Trust

A hardware Root-of-Trust has distinct advantages
  Software can be hacked by Software
  Difficult to root trust in software that has to validate itself
  Hardware can be made to be robust against attacks
    Certified to be tamper resistant
  Hardware and software combined can protect root secrets better than software alone

A TPM can ensure that keys and secrets are only available for use when the environment is appropriate
  Security can be tied to specific hardware and software configurations

Page 11: Disk Layout & Key Storage

Windows Partition Contains:
  Encrypted OS
  Encrypted Page File
  Encrypted Temp Files
  Encrypted Data
  Encrypted Hibernation File

Boot Partition Contains: MBR, Loader, Boot Utilities (Unencrypted, small)

Where’s the Encryption Key?
  1. SRK (Storage Root Key) contained in TPM
  2. SRK encrypts VEK (Volume Encryption Key) protected by TPM/PIN/Dongle
  3. VEK stored (encrypted by SRK) on hard drive in Boot Partition

[Diagram: disk with Boot partition and Windows partition; callouts 1 (SRK, in the TPM), 2 (VEK) and 3 (VEK stored in the Boot Partition)]

Page 12: BitLocker™ Architecture

Static Root of Trust Measurement of early boot components

[Diagram: boot chain measured into the TPM. TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → OS Loader → Start OS; the PreOS stages end with “All Boot Blobs unlocked”, then “Volume Blob of Target OS unlocked” before the Static OS starts]
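The measurement chain from this slide and the key-storage steps from the previous one, as an added toy model that is not part of the deck: each boot stage is hashed into a PCR, the VEK is sealed to the resulting PCR values, and a modified MBR or a BIOS update leaves the TPM unable to release it, which is the recovery path the later slides describe. The "TPM" is a hashtable, AES under a random SRK stands in for TPM sealing, the boot components are constructed byte strings, and the PCR index assignment (0 BIOS, 4 MBR, 8 boot sector, 9 boot block, 10 boot manager) is assumed.

```powershell
# Added toy model, not Microsoft code: static root of trust measurement and
# VEK sealing from the two slides above. The "TPM" is a hashtable with an SRK
# and SHA-1 PCRs; boot components are constructed byte strings; AES under the
# SRK stands in for TPM sealing. PCR indices (0 BIOS, 4 MBR, 8 boot sector,
# 9 boot block, 10 boot manager) are the usual TPM 1.2/BIOS assignment, assumed.
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$ascii = [System.Text.Encoding]::ASCII

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}

function Reset-Pcrs([hashtable]$Tpm) {
    # Power-on state: 20 zero bytes per PCR. A PCR can only be extended, never set.
    foreach ($i in 0..10) { $Tpm.PCR[$i] = New-Object byte[] 20 }
}

function New-Tpm {
    # The SRK is generated inside the TPM once and never leaves it.
    $tpm = @{ SRK = New-RandomBytes 32; PCR = @{} }
    Reset-Pcrs $tpm
    return $tpm
}

function Extend-Pcr([hashtable]$Tpm, [int]$Index, [byte[]]$Component) {
    # PCR[i] = SHA1(PCR[i] || SHA1(component)): each stage measures the next
    # one before handing over control.
    $measurement = $sha1.ComputeHash($Component)
    $Tpm.PCR[$Index] = $sha1.ComputeHash([byte[]]($Tpm.PCR[$Index] + $measurement))
}

function Invoke-MeasuredBoot([hashtable]$Tpm, [hashtable]$Chain) {
    # Reboot, then measure in the slide's order: BIOS, MBR, boot sector,
    # boot block, boot manager.
    Reset-Pcrs $Tpm
    Extend-Pcr $Tpm 0  $Chain.BIOS
    Extend-Pcr $Tpm 4  $Chain.MBR
    Extend-Pcr $Tpm 8  $Chain.BootSector
    Extend-Pcr $Tpm 9  $Chain.BootBlock
    Extend-Pcr $Tpm 10 $Chain.BootManager
}

function Get-PcrComposite([hashtable]$Tpm, [int[]]$Selection) {
    $all = @()
    foreach ($i in $Selection) { $all += $Tpm.PCR[$i] }
    return [System.BitConverter]::ToString($sha1.ComputeHash([byte[]]$all))
}

function Protect-Vek([hashtable]$Tpm, [byte[]]$Vek, [int[]]$Selection) {
    # Sealing (steps 2 and 3 on the disk-layout slide): VEK encrypted under the
    # SRK and bound to the current PCR values; this blob is what sits on the
    # unencrypted boot partition.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Tpm.SRK
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Vek, 0, $Vek.Length)
    return @{ Selection = $Selection; Composite = (Get-PcrComposite $Tpm $Selection)
              IV = $aes.IV; CipherText = $ct }
}

function Unprotect-Vek([hashtable]$Tpm, [hashtable]$Blob) {
    # Unseal: the TPM releases the VEK only if this boot's PCRs match the sealed
    # ones; otherwise BitLocker must fall back to a recovery password or key.
    if ((Get-PcrComposite $Tpm $Blob.Selection) -ne $Blob.Composite) { return $null }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Tpm.SRK
    $aes.IV = $Blob.IV
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Blob.CipherText, 0, $Blob.CipherText.Length)
    return ,$pt
}

function Test-Boot([string]$Label, [hashtable]$Tpm, [hashtable]$Chain, [hashtable]$Blob) {
    Invoke-MeasuredBoot $Tpm $Chain
    if (Unprotect-Vek $Tpm $Blob) { "${Label}: PCRs match, VEK released, OS volume unlocks" }
    else { "${Label}: PCR mismatch, TPM keeps the VEK, BitLocker enters recovery" }
}

# Constructed known-good boot chain, provisioned once: measure, then seal to it.
$good = @{}
foreach ($n in 'BIOS', 'MBR', 'BootSector', 'BootBlock', 'BootManager') { $good[$n] = $ascii.GetBytes("constructed $n v1") }
$tpm = New-Tpm
$vek = New-RandomBytes 32
Invoke-MeasuredBoot $tpm $good
$blob = Protect-Vek $tpm $vek @(0, 4, 8, 9, 10)

Test-Boot 'Normal boot' $tpm $good $blob
$tampered = $good.Clone(); $tampered.MBR = $ascii.GetBytes('constructed MBR, modified')
Test-Boot 'Modified MBR (attack detected)' $tpm $tampered $blob
$updated = $good.Clone(); $updated.BIOS = $ascii.GetBytes('constructed BIOS v2')
Test-Boot 'BIOS update without reseal' $tpm $updated $blob
# Servicing slide: a BIOS update changes PCR 0, so the VEK has to be resealed
# to the new measurements (what happens when protection is re-enabled after disabled mode).
$blob = Protect-Vek $tpm $vek @(0, 4, 8, 9, 10)
Test-Boot 'BIOS update, resealed' $tpm $updated $blob
```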

Page 13: BitLocker™ in Windows Vista

Page 14: BitLocker™ Requirements and Deployment

Page 15: Hardware Requirements

Trusted Platform Module (TPM) v1.2.
TCG-compliant (Trusted Computing Group) v1.2 BIOS.
The system BIOS must support both reading and writing small files on a USB flash drive in the pre-operating system environment.
Computer must have at least two volumes to operate:

  Operating System Volume
    Must be NTFS
    Contains Windows OS and its support files. Data on this volume is protected by BitLocker.

  System Volume
    Must be NTFS, must differ from OS Volume, must NOT be encrypted
    Contains hardware-specific files that are needed to load Windows after the BIOS has booted the platform

Page 16: Deployment Process

Plan
  Review Existing Infrastructure
  Hardware Requirements
    Check for Hardware Requirements
  Key TPM Concepts
  Talk with your OEM
  BitLocker Protectors
  Define BitLocker Configuration
  Define Security Policy
  Configure Active Directory
  Configure Group Policy

Deploy
  BitLocker Ready OS Image
  TPM Configuration Script
  BitLocker Configuration Script

Support
  BitLocker Servicing

Page 17: Review Existing Infrastructure

How and when are new machines configured? e.g. OEM preconfigured, PXE boot WinPE, staging environment, etc…

Do you plan to deploy BitLocker on non-TPM machines?

What is the OS Deployment method used? e.g. Imaging, unattended setup

What is the Application Delivery Method? e.g. Integrated with Image, scripted unattend install etc…

How are updates/patches being applied?


Page 18: Key TPM Concepts

Physical Presence
  Physical presence implies direct interaction by a person with the platform to perform basic administrative tasks and to bootstrap management and access control mechanisms

Endorsement Key
  Endorsement key (EK) is an RSA key pair. A given TPM must be associated with one and only one EK for a TPM to function properly

TPM States
  On – The TPM should be enabled and activated. This requires Physical Presence
  Owned/Un-owned – A platform is owned when an EK exists and the true owner knows owner authorization data. BDE cannot use the TPM until it is in owned state


Page 19: Talk with your OEM

What is the state of the TPM when it is shipped to your organization?
Is the Endorsement Key already on the TPM?
Does the OEM provide tools to automate management of TPM?
How does the OEM implement Physical Presence?
Do the existing machines without TPM devices support USB devices at boot time?


Page 20: Define Security Policy

Recovery Scenarios
  Broken Hardware Recovery Scenario
    Hard drive moves to new system
    Recovery using Control Panel
  Attack Detected Recovery Scenario
    Modified or Missing Boot Loader Files
    Boot mode Recovery
  Missing Windows Critical Components Scenario
    WinRE Recovery

Recovery policies
  Define policies per supported BitLocker configuration
  Develop recovery process flow per supported configuration
  In the event of recovery… determine root cause and track
  Recovery process should include identity checks for support calls
  Consider recovery material un-secure after used by non-secure party
  Regenerate new recovery material after use


Page 21: Define Security Policy

Key management policy
  Backup recovery passwords to Active Directory
  Consider using Recovery Keys along with Recovery Passwords
  Save Recovery Keys to central location for support purposes
  Backup key material to secure offline storage

Machine Retirement Policy
  Force Recovery on a drive without invalidating any saved recovery methods
  Force Recovery on a drive and invalidate all saved recovery methods
  Run Vista Format on a drive
    Automatically deletes all BitLocker key structures and then formats the drive
    Available starting RC1


Page 22: Configure Active Directory

To store BitLocker recovery information in Active Directory:
  All domain controllers in the domain must be at least Windows Server 2003 SP1
  Apply schema extensions to support additional attributes
  If you have a Windows Longhorn domain controller in your environment the schema extensions are already in place and no update is needed
  Configure permissions on BitLocker and TPM Recovery Information Schema Objects
  If you have more than one AD forest, extend the schema in each forest that will have BitLocker machines
  Give read permissions to users that will assist in the event of recovery


Page 23: Configure Group Policy

BitLocker group policy settings include:
  Turn on AD backup of BDE recovery information
  Turn on AD backup of TPM recovery information
  Configure UI experience

Consider enabling power management control for BitLocker enabled machines
  Limit machines from automatically entering sleep (default)
  Keep users from changing this configuration


Page 24: BitLocker Ready OS Image

To create OS Image
  Install Windows Vista on a reference Machine that meets BitLocker partition requirements. Install any applications.
  Run Sysprep and generalize the machine
  Boot into Windows PE to capture the system and OS partition using ImageX
  For unattended installation replace the default Vista wim file with new OS wim file created in the previous step. Now initiate unattend install using PXE Boot, Windows PE Boot etc…
  For Image based deployment create the partitions using diskpart. Use ImageX to apply the System and OS wim files created earlier to the partitions

WAIK and OPK
  Ensure that BitLocker partitions are defined within the Setup Node when you are describing Vista Setup via System Image Manager
  SMS OSD Vista update does not support multi-partition. You will need to write a script that uses Diskpart to create the required partitions
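One way to write the Diskpart script the last item calls for, as an added example that is not from the deck, the WAIK or SMS: it lays out the two volumes from the Hardware Requirements slide (a small, active, never-encrypted NTFS system volume and the NTFS OS volume that BitLocker protects) and runs diskpart from PowerShell with a confirmation gate, since the script wipes the disk. Disk 0, the S:/C: letters, the file path and the 1500 MB system-volume size are assumptions of this example.

```powershell
# Added example, not from the deck: two-volume layout required by BitLocker,
# generated as a diskpart script and run from a WinPE task before ImageX
# applies the wim files. Disk number, letters and the 1500 MB system-volume
# size are assumptions; "clean" is destructive, so the call is gated by
# ShouldProcess and the demo invocation below uses -WhatIf.
function New-BitLockerDiskLayout {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$DiskNumber = 0,
        [int]$SystemVolumeMB = 1500,
        [string]$SystemLetter = 'S',
        [string]$OsLetter = 'C'
    )
    # Order matters: the system volume is created first, formatted NTFS, given
    # a letter and marked active so the BIOS boots it. It stays unencrypted.
    # The OS volume takes the rest of the disk and is the one BitLocker converts.
    $script = @"
select disk $DiskNumber
clean
create partition primary size=$SystemVolumeMB
format fs=ntfs quick label="System"
assign letter=$SystemLetter
active
create partition primary
format fs=ntfs quick label="Windows"
assign letter=$OsLetter
exit
"@
    $path = Join-Path $env:TEMP 'bde-layout.txt'   # assumed scratch location
    Set-Content -Path $path -Value $script -Encoding ASCII
    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", 'wipe and create system + OS volumes')) {
        & diskpart.exe /s $path
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    }
    return $path
}

# Dry run: shows the action without touching the disk; drop -WhatIf in the task sequence.
New-BitLockerDiskLayout -DiskNumber 0 -WhatIf
```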


Page 25: TPM Configuration Script

Computer with TPM 1.2 for which EK has been created by OEM. Need to turn on the TPM and take ownership.

Using Manage-BDE
  Manage-bde.wsf -tpm -TurnOn
  Manage-bde.wsf -tpm -TakeOwnership Password

Using WMI
  Call SetPhysicalPresenceRequest(10) to enable, activate and allow the installation of a TPM owner using physical presence. A computer restart will be required.
  Call ConvertToOwnerAuth to create owner authorization value
  Call TakeOwnership to set an owner for the TPM


Page 26: BitLocker Configuration Script

Enable BitLocker using TPM only on a computer that is BitLocker compliant. You want to be able to recover the volume in case of attack, computer damage etc…

Using Manage-BDE
  Manage-bde.wsf -on -recoverypassword c:
  Manage-bde.wsf -status c:

Using WMI
  Call methods beginning with ProtectKey to secure the encryption key for the volume. Make sure to include key protectors that can be used in recovery scenarios. For example:
    ProtectKeyWithTPM
    ProtectKeyWithNumericalPassword
  Call Encrypt to begin conversion of the volume
  Conversion is complete when GetConversionStatus indicates that the volume is fully encrypted
  Call GetProtectionStatus to ensure that BitLocker protection is on
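The TPM configuration steps from the previous slide and the BitLocker configuration steps from this one, as an added PowerShell example that is not Microsoft's manage-bde.wsf or sample code: it calls the Win32_Tpm and Win32_EncryptableVolume WMI methods the slides name, stops on any non-zero ReturnValue, halts for the physical-presence restart, and creates the recovery protector before conversion starts so it can be escrowed. It assumes an elevated session on a Vista-era TPM 1.2 platform where TakeOwnership is still a manual step; the function names and the use of 0 as "not specified" for the encryption method are this example's own.

```powershell
# Added example, not Microsoft's manage-bde.wsf or sample code. Drives the
# same Win32_Tpm and Win32_EncryptableVolume WMI methods named on the slides
# from PowerShell, checking every ReturnValue. Assumes an elevated session on
# a Vista-era TPM 1.2 platform where TakeOwnership is still a manual step.
$TpmNs = 'root\cimv2\Security\MicrosoftTpm'
$BdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Assert-WmiOk {
    # Every method on these classes returns an HRESULT-style ReturnValue;
    # 0 is success and anything else should stop the deployment script.
    param([string]$Step, $Result)
    if ($Result.ReturnValue -ne 0) {
        throw ('{0} failed with ReturnValue 0x{1:X8}' -f $Step, $Result.ReturnValue)
    }
    return $Result
}

function Initialize-Tpm {
    # Slide "TPM Configuration Script": turn the TPM on, then take ownership.
    param([Parameter(Mandatory)][string]$OwnerPassphrase)
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM exposed through Win32_Tpm' }

    $enabled   = (Assert-WmiOk 'IsEnabled'   ($tpm.IsEnabled())).IsEnabled
    $activated = (Assert-WmiOk 'IsActivated' ($tpm.IsActivated())).IsActivated
    if (-not ($enabled -and $activated)) {
        # Request 10 = enable, activate and allow owner installation. The BIOS
        # asks the person at the keyboard to confirm (physical presence), so
        # the script stops here and is re-run after the restart.
        Assert-WmiOk 'SetPhysicalPresenceRequest(10)' ($tpm.SetPhysicalPresenceRequest(10)) | Out-Null
        throw 'Physical presence request queued: restart, confirm at the BIOS prompt, then re-run'
    }

    if ((Assert-WmiOk 'IsOwned' ($tpm.IsOwned())).IsOwned) {
        Write-Output 'TPM already owned; skipping TakeOwnership'
        return
    }
    # The passphrase itself never goes to the TPM: ConvertToOwnerAuth derives
    # the owner authorization value that TakeOwnership expects.
    $auth = (Assert-WmiOk 'ConvertToOwnerAuth' ($tpm.ConvertToOwnerAuth($OwnerPassphrase))).OwnerAuth
    Assert-WmiOk 'TakeOwnership' ($tpm.TakeOwnership($auth)) | Out-Null
    Write-Output 'TPM ownership taken'
}

function Enable-BitLockerTpmWithRecovery {
    # Slide "BitLocker Configuration Script": TPM protector for day-to-day
    # unlock plus a numerical (recovery) password for the hardware-swap and
    # tampered-pre-OS cases where the TPM will not release the key.
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace $BdeNs -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found in $BdeNs" }

    # $null validation profile = the provider's default set of PCRs.
    $tpmId = (Assert-WmiOk 'ProtectKeyWithTPM' ($vol.ProtectKeyWithTPM('TPM', $null))).VolumeKeyProtectorID
    # $null password = let BitLocker generate the 48-digit recovery password.
    $rpId = (Assert-WmiOk 'ProtectKeyWithNumericalPassword' ($vol.ProtectKeyWithNumericalPassword('Recovery', $null))).VolumeKeyProtectorID
    $rp = (Assert-WmiOk 'GetKeyProtectorNumericalPassword' ($vol.GetKeyProtectorNumericalPassword($rpId))).NumericalPassword
    # Protectors exist before conversion starts; with the AD backup Group
    # Policy setting on, this is also when the provider writes them to AD.
    Write-Output "Protectors created: TPM $tpmId, recovery $rpId"

    # 0 = not specified, so the method and key size from Group Policy apply
    # (assumption: verify against the Encrypt reference for your build).
    Assert-WmiOk 'Encrypt' ($vol.Encrypt(0)) | Out-Null
    # The recovery password is a secret: hand it to escrow, never log it.
    return @{ Volume = $vol; RecoveryProtectorId = $rpId; RecoveryPassword = $rp }
}

function Wait-BitLockerConversion {
    param($Volume, [int]$PollSeconds = 30)
    do {
        $s = Assert-WmiOk 'GetConversionStatus' ($Volume.GetConversionStatus())
        Write-Output ('ConversionStatus {0}, {1}% encrypted' -f $s.ConversionStatus, $s.EncryptionPercentage)
        if ($s.ConversionStatus -ne 1) { Start-Sleep -Seconds $PollSeconds }   # 1 = fully encrypted
    } until ($s.ConversionStatus -eq 1)
    $p = (Assert-WmiOk 'GetProtectionStatus' ($Volume.GetProtectionStatus())).ProtectionStatus
    if ($p -ne 1) { throw "Volume encrypted but ProtectionStatus is $p (expected 1 = on)" }
    Write-Output 'BitLocker protection is on'
}

# Deployment flow: the owner passphrase comes from the operator, never a literal.
Initialize-Tpm -OwnerPassphrase (Read-Host 'TPM owner passphrase')
$state = Enable-BitLockerTpmWithRecovery -DriveLetter 'C:'
Wait-BitLockerConversion -Volume $state.Volume
```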


Page 27: BitLocker Servicing

Things you should know when upgrading components on BitLocker enabled machine

For BIOS firmware
  BIOS is hashed by the TPM so servicing requires resealing of the keys.
  Always enter disabled mode prior to BIOS update.
  Failure to enter disabled mode will trigger recovery
  Disabled mode is an operation mode that does not decrypt the drive and allows component upgrades.

For OS updates
  Patch sent through Windows Update
  Signature chain is automatically verified to establish trust
  Does not require entering disabled mode

Other updates (e.g. apps)
  Patch sent by app/software vendors
  May require resealing or entering disabled mode


Page 28: BitLocker™ Recovery Scenarios

Lost/Forgotten Authentication Methods
  Lost USB key, user forgets PIN

Upgrade to Core Files
  Unanticipated change to pre-OS files (BIOS upgrade, etc…)

Broken Hardware
  Hard drive moved to a new system

Deliberate Attack
  Modified or missing pre-OS files (Hacked BIOS, MBR, etc…)

Page 29: BitLocker™ Recovery Methods

Recommended method for domain-joined machines
  Automate key backups through BitLocker™ Setup
    Configure group policy to store keys in Active Directory
    Provides centralized storage and management of keys

Recommended methods for non domain-joined machines
  Back up to a USB flash device
  Back up to a web-based key storage service
    “Windows Ultimate Extras” – Provides a free key storage service for home users or unmanaged environments
    Potential OEM or 3rd-party service for key storage
  Back up to a file
  Print or record to physical media

Page 30: BitLocker Best Practices

Create and securely store recovery information: set up and validate recovery processes that include a way to track the number of recovery requests, a way to determine root cause of recovery requests and a way to ensure that requests are from legitimate users.

Keep BitLocker protection enabled, or turn protection off by decrypting the disk; temporarily disable BitLocker only for planned upgrade scenarios

Avoid putting your computer in standby or hybrid sleep mode; configure your computer to hibernate or power off

Page 31: TPM Best Practices

TPM must be physically secured to the motherboard
TPM that comes from the OEM with an Endorsement Key
A platform that supports direct user input (not automated) to prove physical presence when committing important changes to the TPM
Initialize the TPM before deploying the platform to end users when possible
OEM should digitally sign and verify the TPM and BIOS firmware patches

Page 32: Additional Resources

Web Resources
  Windows Vista BitLocker Client Platform Requirements
    http://www.microsoft.com/whdc/system/platform/hwsecurity/BitLockerReq.mspx
  Specs and Whitepapers
    http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
  Windows Logo Program Testing
    http://www.microsoft.com/whdc/GetStart/testing.mspx
  Trusted Computing Group (TCG) Website
    http://www.trustedcomputinggroup.org

BitLocker™ Questions or Ideas
  e-mail: [email protected]

BitLocker™ Blog
  http://blogs.msdn.com/si_team/default.aspx

Page 33

Page 34

Fill out a session evaluation on CommNet and win an XBOX 360!

Page 35

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 36

Appendix

Page 37

BitLocker Protectors

TPM
Security hardware that provides a hardware-based root of trust and can be leveraged to provide a variety of cryptographic services. BitLocker only supports TPM v1.2 and above.

PIN
The PIN can have 4 to 20 digits and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed back to the user in any form or for any reason. The PIN provides another factor of protection in conjunction with TPM authentication.

Startup Key
The startup key is an encrypted file that can be stored on a USB flash drive. This protector can be used alone on non-TPM machines or in conjunction with a TPM for added security.

Recovery Password
This protector is a 48-digit number that is used to unlock a volume. When recovery is needed, this password must be entered at boot time using the function keys.

Recovery Key
Key used for recovering data encrypted on a BitLocker volume. This key is cryptographically equivalent to a Startup Key and is not the same as the recovery password.
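The PIN and recovery password protectors described above, as an added example that is not part of this deck or of BitLocker's own code: a PIN is accepted only as 4 to 20 digits and is kept only as a 256-bit hash of its Unicode characters (never the PIN itself), and a recovery password typed by a user is checked for its 48-digit structure before anyone attempts a recovery with it. The slides name neither the hash function nor the text encoding, so SHA-256 and UTF-16LE are assumptions here. The per-group checks (each 6-digit group is a multiple of 11, its last digit acting as a checksum, and encodes a 16-bit value, so 8 groups carry 128 bits) go beyond the slide's "48 character numeric" description and follow the publicly documented recovery password format; `generate_recovery_password` produces constructed values for exercising the checker only and derives nothing from a real volume.

```python
import hashlib
import re
import secrets

# Constraints stated in the deck: a PIN is 4 to 20 digits and is stored only as a
# 256-bit hash of the entered Unicode characters; the recovery password is 48 digits.
# The hash algorithm (SHA-256) and the text encoding (UTF-16LE, Windows' native
# wide-character form) are assumptions for this illustration, not taken from the slides.
PIN_PATTERN = re.compile(r"[0-9]{4,20}")
RECOVERY_DIGITS = 48
GROUP_DIGITS = 6
GROUPS = RECOVERY_DIGITS // GROUP_DIGITS   # 8 groups of 6 digits
GROUP_LIMIT = 65536 * 11                   # group // 11 must fit in 16 bits


def pin_protector_hash(pin: str) -> bytes:
    """Return the 32-byte value that is stored for a PIN; the PIN itself is never kept
    or echoed, which matches the deck's "never displayed back to the user" rule."""
    if not PIN_PATTERN.fullmatch(pin):
        raise ValueError("PIN must be 4 to 20 digits")
    # "Unicode characters" modelled as UTF-16LE (assumption).
    return hashlib.sha256(pin.encode("utf-16-le")).digest()


def verify_pin(pin: str, stored_hash: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing about the stored hash."""
    try:
        candidate = pin_protector_hash(pin)
    except ValueError:
        return False
    return secrets.compare_digest(candidate, stored_hash)


def normalise_recovery_password(text: str) -> str:
    """Strip the separators a user types (spaces or dashes) and return the 48 digits."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"[0-9]{48}", digits):
        raise ValueError("recovery password must be 48 digits")
    return digits


def recovery_password_is_well_formed(text: str) -> bool:
    """Structural check of a typed recovery password (publicly documented format, not
    from the slides): every 6-digit group is a multiple of 11 (last digit = checksum)
    and, divided by 11, is a 16-bit value. Catches typos before a recovery attempt."""
    try:
        digits = normalise_recovery_password(text)
    except ValueError:
        return False
    for i in range(GROUPS):
        group = int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS])
        if group % 11 != 0 or group >= GROUP_LIMIT:
            return False
    return True


def generate_recovery_password() -> str:
    """Constructed, well-formed recovery password for exercising the checker only.
    It is not derived from any real volume key."""
    groups = []
    for _ in range(GROUPS):
        value = secrets.randbelow(65536)     # 16 bits of key material per group
        groups.append(f"{value * 11:06d}")   # times 11 appends the checksum digit
    return "-".join(groups)


if __name__ == "__main__":
    stored = pin_protector_hash("1234")          # constructed sample PIN
    print("PIN ok:", verify_pin("1234", stored), "wrong PIN:", verify_pin("1235", stored))
    sample = generate_recovery_password()
    print("sample recovery password well-formed:", recovery_password_is_well_formed(sample))
    print("typo rejected:", recovery_password_is_well_formed(sample[:-1] + "9"))
```

A help desk script that pre-checks a recovery password this way tells the caller "that is not a valid recovery password, read it again" without ever needing the volume or the real key; the digit checks reject most transcription errors because a single wrong digit in a group breaks its divisibility by 11.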

Page 38

BitLocker Drive Encryption Components (diagram; labels recovered from the slide)

A  Primary volume: Windows volume, boot volume
B  Secondary volume (optional): non-boot volume
1  TPM: secure hardware
2  Startup Key: secondary key
3  PIN: secondary key
Recovery keys: Recovery Password File, Recovery Password
Other labels on the diagram: 4, 5, AD

System Requirements: Vista Enterprise or Ultimate, 2 partitions, TCG BIOS

Page 39

Key Architecture